pip v26.1 adds support for relative dependency cooldowns


URL Source: https://sethmlarson.dev/pip-relative-dependency-cooldowns


Seth Larson @ 2026-04-27

My work as the Security Developer-in-Residence at the Python Software Foundation is sponsored by Alpha-Omega. Thanks to Alpha-Omega for supporting security in the Python ecosystem.

I published a blog post two months ago about how to hack relative dependency cooldowns into pip v26.0 with crontab. Now with pip v26.1 available, this hack is no longer required! Time to upgrade my pip and delete that cron job...

Now in pip v26.1 you can use uploaded-prior-to in your ~/.config/pip/pip.conf file or --uploaded-prior-to= as a CLI option with relative RFC 3339 duration values. pip supports setting days using “PND” where N is the number of days.

For example, using the following as your ~/.config/pip/pip.conf file will only install packages that are at least 7 days old on the Python Package Index:

```ini
[install]
uploaded-prior-to = P7D
```

Because this setting is in your global pip config, it means that you won't have to remember to set the option when invoking pip install. Using a relative value also means you won't have to repeatedly set new dates to receive new releases of the packages you use.
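To make the effect of that `P7D` setting concrete, here is an added example (not pip's own code) that emulates the cooldown against PyPI-style release metadata: it resolves an `uploaded-prior-to` value to an absolute cutoff and keeps only the files uploaded before it. The filenames and timestamps are constructed, and filtering per file with a strict "before" comparison is an assumption about pip's semantics, not something the post states.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

_RELATIVE = re.compile(r"^P(?P<days>\d+)D$")  # the PND form the post describes


def _parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp, normalising 'Z' for older Pythons."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def cutoff_for(value: str, now: datetime) -> datetime:
    """Resolve an uploaded-prior-to value: P7D -> now - 7 days,
    anything else -> an absolute RFC 3339 timestamp (the older form)."""
    m = _RELATIVE.match(value)
    if m:
        return now - timedelta(days=int(m.group("days")))
    return _parse_ts(value)


def eligible_files(releases: dict, value: str, now: datetime) -> dict:
    """Map version -> filenames uploaded strictly before the cutoff.
    `releases` mirrors the `releases` object of PyPI's JSON API; versions
    with no eligible file are dropped so the resolver cannot pick them."""
    cutoff = cutoff_for(value, now)
    kept = {}
    for version, files in releases.items():
        names = [f["filename"] for f in files
                 if _parse_ts(f["upload_time_iso_8601"]) < cutoff]
        if names:
            kept[version] = names
    return kept


# Constructed sample (not real PyPI data): a 26-day-old release, one whose
# wheel landed 6 days ago behind an 8-day-old sdist, and one from yesterday.
SAMPLE_RELEASES = {
    "1.0.0": [{"filename": "demo-1.0.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-01T12:00:00.000000Z"}],
    "1.1.0": [{"filename": "demo-1.1.0.tar.gz",
               "upload_time_iso_8601": "2026-04-19T09:30:00.000000Z"},
              {"filename": "demo-1.1.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-04-21T09:30:00.000000Z"}],
    "1.2.0": [{"filename": "demo-1.2.0.tar.gz",
               "upload_time_iso_8601": "2026-04-26T08:00:00.000000Z"}],
}
NOW = datetime(2026, 4, 27, 12, 0, tzinfo=timezone.utc)
```

With `P7D` the 1.1.0 sdist survives while its newer wheel does not, which is the kind of partial eligibility a cooldown can produce for releases whose files were uploaded at different times.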

Using relative dependency cooldowns means that installing directly from a public index such as the Python Package Index (PyPI) will benefit from manual malware reporting, triaging, and removal efforts. The vast majority of malware and supply chain attacks published are detected and removed within hours of being uploaded to the index. Using relative dependency cooldowns means indexes have time to respond to malicious software and keep you safe.

Reminder that dependency cooldowns should be paired with a dependency management strategy that prioritizes dependency releases that fix vulnerabilities. You don't want to be waiting for days for a dependency cooldown to clear while your service is vulnerable. Managing, reviewing, upgrading, and deploying vulnerability patches should be a deliberate task, not one that happens "on-accident" due to an upgrade-by-default installation strategy.

Andrew Nesbitt has published a comprehensive review of dependency cooldowns across many different package managers. Thanks to William Woodruff who originally published this approach.

Wow, you made it to the end!